Public key encryption system

Soldera, David

Patent Application Summary

U.S. patent application number 10/083762 was filed with the patent office on February 25, 2002 and published on 2003-07-17 for a public key encryption system. Invention is credited to Soldera, David.

Application Number: 20030133566 (Appl. No. 10/083762)
Family ID: 9928780
Publication Date: 2003-07-17

United States Patent Application 20030133566
Kind Code A1
Soldera, David July 17, 2003

Public key encryption system

Abstract

This invention relates to a variant of the El-Gamal public key encryption scheme which is provably secure against an adaptive chosen ciphertext adversary under standard public-key cryptography assumptions, i.e. without the random oracle model. The new scheme has roughly half the computational overhead of, and similar communication overhead to, the Cramer-Shoup scheme.


Inventors: Soldera, David; (Bristol, GB)
Correspondence Address:
    HEWLETT-PACKARD COMPANY
    Intellectual Property Administration
    P.O. Box 272400
    Fort Collins
    CA
    80527-2400
    US
Family ID: 9928780
Appl. No.: 10/083762
Filed: February 25, 2002

Current U.S. Class: 380/30
Current CPC Class: H04L 9/3013 20130101; H04L 9/002 20130101; H04L 2209/08 20130101
Class at Publication: 380/30
International Class: H04L 009/00

Foreign Application Data

Date Code Application Number
Jan 9, 2002 GB 0200367.1

Claims



1. A public key encryption scheme using a private key, $z$, and a public key, $h$, comprises the encryption of a message, $m$, within a ciphertext, wherein an element of the encrypted ciphertext containing the message is formed by a message product of a variable, $\epsilon$, based on the public key, $h$, and an output of an invertible deterministic method, $\pi$, operated on at least the message, $m$, and a hash, $H$, of at least the message.

2. A public key encryption scheme as claimed in claim 1, wherein the ciphertext includes at least one random element, $u_1$.

3. A public key encryption scheme as claimed in claim 1, wherein the invertible deterministic method is operated on the message, $m$, an index, $j$, of the hash and a hash, $H$, over both the message, $m$, and at least one random element, $u_1$.

4. A public key encryption scheme as claimed in claim 1, wherein the variable, $\epsilon$, based on the public key is the public key, $h$, raised to the power of a random number, $r$.

5. A public key encryption scheme as claimed in claim 1, wherein the ciphertext is decrypted using a private key, $z$, the at least one random element $u_1$, the message product, and the invertible deterministic method, $\pi$.

6. A public key encryption scheme as claimed in claim 1, wherein the invertible deterministic method, $\pi$, is operated on a check for the decryption.

7. A public key encryption scheme as claimed in claim 6, wherein the hash, $H$, for the check is over the message and at least one random element, $u_1$.

8. A public key encryption scheme as claimed in claim 1, wherein the message product is represented by $\epsilon \cdot M$, where $\epsilon = h^r$ ($r$ is random) and $h = g_1^z$, where $g_1$ is a first generator, $z$ is a randomly chosen private key and $M = \pi(m, j, t)$, where $\pi$ is the invertible deterministic method, $m$ is the message, $j$ is a random index of the hash and $t = H_j(m, g_1^r, g_2^r)$, where $H_j$ is the $j$th hash and $g_2$ is a second generator.

9. A public key encryption scheme as claimed in claim 1, wherein the ciphertext includes said at least one random element, $u_1$.

10. A public key encryption scheme as claimed in claim 1, wherein at least one of said random elements, $u_1$, is used to decipher the ciphertext, in conjunction with the private key, $z$, to determine the output, $M$, of the invertible deterministic method, $\pi$, which output is then inverted to give an original input and hence the message, $m$.

11. A public key encryption/decryption method makes use of a ciphertext that includes a check element, $t$, wherein a check made during decryption is a hash, $H$, over at least the encrypted message, $m$.

12. A public key encryption/decryption method as claimed in claim 11, wherein the hash, $H$, is over the message, $m$, and at least one random element, $u_1$.

13. A public key encryption method includes creating a ciphertext requiring at most 4 exponentiations to encrypt, including exponentiations for each of at least two random elements, $u_1, u_2$, and an exponentiation for a public key, $h$, wherein a message for encryption does not require an exponentiation to encrypt.

14. A public key encryption method as claimed in claim 13, wherein the method includes 3 exponentiations, being for a first random element, $u_1$, a second random element, $u_2$, and for the public key, $h$.

15. A public key encryption/decryption method includes decrypting a ciphertext with at most 2 exponentiations, including an exponentiation using a private key, $z$, to allow recovery of an encrypted message, $m$.

16. A public key encryption/decryption method as claimed in claim 15, wherein only one exponentiation is required.

17. A public key encryption/decryption method involves creating a ciphertext and decrypting the ciphertext, in which a public key requires no more than 3 group elements and a private key requires no more than one group element, whilst still providing a provably secure method.
Description



[0001] This invention relates to a public key encryption scheme and to a method of encrypting and/or decrypting using public key encryption.

[0002] In 1998 Cramer and Shoup (CS) (Cramer, R. and Shoup, V. A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack. CRYPTO'98. LNCS 1462, pg 13-25. Springer-Verlag, California, 1998) presented a new El-Gamal style (El-Gamal, T. A public key cryptosystem and signature scheme based on discrete logarithms. IEEE Trans. Inform. Theory, 31, pg 469-472, 1985) public key encryption scheme that was the first efficient and provably secure scheme based solely on standard intractability assumptions. The contribution of CS was that their scheme was efficient and yet did not rely on the random oracle (RO) assumption (see Bellare, M. and Rogaway, P. Optimal asymmetric encryption--how to encrypt with RSA. EUROCRYPT'94. LNCS 950, pg 92-111. Springer-Verlag, 1994 for more information on random oracles). However, schemes that rely on the RO model are still more efficient than the CS scheme. Recent improvements to CS (see for example Shoup, V. Using hash functions as a hedge against chosen ciphertext attack. EUROCRYPT'00. LNCS 1807, pg 275-288. Springer-Verlag, 2000; this is actually a key encapsulation scheme) have increased its efficiency, but not to the point where it can compete with the best RO schemes.

[0003] Proofs of security in the RO model and proofs under standard assumptions represent opposite ends of the provable security spectrum. The RO model yields extremely efficient schemes (see Bellare above), yet practical implementations using hash functions cannot hope to realise an actual random oracle. At the other end of the spectrum are the standard intractability assumptions; they give much more confidence in security, yet the schemes available under them are still too inefficient (at least compared with RO schemes) for the majority of practical implementations.

[0004] It is an object of the present invention to address the above disadvantages to seek to provide a cryptosystem having more practical implementation together with more provable security.

[0005] According to a first aspect of the present invention a public key encryption scheme using a private key, $z$, and a public key, $h$, comprises the encryption of a message, $m$, within a ciphertext, wherein an element of the encrypted ciphertext containing the message is formed by a message product of a variable, $\epsilon$, based on the public key, $h$, and an output of an invertible deterministic method, $\pi$, operated on at least the message, $m$, and a hash, $H$, of at least the message.

[0006] The ciphertext preferably includes at least one random element, $u_1$.

[0007] Preferably, the invertible deterministic method is operated on the message, $m$, an index, $j$, of the hash and a hash, $H$, over both the message, $m$, and at least one random element, $u_1$, preferably two random elements $u_1, u_2$.

[0008] The variable, $\epsilon$, based on the public key is preferably the public key, $h$, raised to the power of a random number, $r$.

[0009] The ciphertext may be decrypted using a private key, $z$, the at least one random element $u_1$, the message product, and the invertible deterministic method, $\pi$.

[0010] The invertible deterministic method, $\pi$, may be operated on a check for the decryption. The check may be the hash, $H$, over at least the message, $m$. Preferably, the hash, $H$, for the check is over the message and at least one random element, $u_1$.

[0011] Preferably, the message product is represented by $\epsilon \cdot M$, where $\epsilon = h^r$ ($r$ is random) and $h = g_1^z$, where $g_1$ is a first generator, $z$ is a randomly chosen private key and $M = \pi(m, j, t)$, where $\pi$ is the invertible deterministic method, $m$ is the message, $j$ is a random index of the hash and $t = H_j(m, g_1^r, g_2^r)$, where $H_j$ is the $j$th hash and $g_2$ is a second generator.

[0012] The invertible deterministic method may be a squaring.

[0013] The ciphertext preferably includes said at least one random element, $u_1$, preferably both random elements, $u_1, u_2$.

[0014] At least one of said random elements, $u_1$, is preferably used to decipher the ciphertext, in conjunction with the private key, $z$, to determine the output, $M$, of the invertible deterministic method, $\pi$, which output is then preferably inverted to give an original input and hence the message, $m$.

[0015] According to a second aspect of the present invention a public key encryption/decryption method makes use of a ciphertext that includes a check element, $t$, wherein a check made during decryption is a hash, $H$, over at least the encrypted message, $m$.

[0016] Preferably, the hash, $H$, is over the message, $m$, and at least one random element, $u_1$, preferably two random elements, $u_1, u_2$.

[0017] The invention thereby advantageously relies on the collision-free properties of the hash. The hash may be SHA-1.

[0018] According to a third aspect of the present invention a public key encryption method includes creating a ciphertext requiring at most 4 exponentiations to encrypt, including exponentiations for each of at least two random elements, $u_1, u_2$, and an exponentiation for a public key, $h$, wherein a message for encryption does not require an exponentiation to encrypt.

[0019] The method preferably includes 3 exponentiations, being for a first random element, $u_1$, a second random element, $u_2$, and for the public key, $h$.

[0020] The method advantageously requires fewer exponentiations than previous methods, whilst still being provably secure, and thus has a significantly lower computational overhead than previous methods.

[0021] According to a fourth aspect of the invention a public key decryption method includes decrypting a ciphertext with at most 2 exponentiations, including an exponentiation using a private key, $z$, to allow recovery of an encrypted message, $m$.

[0022] Preferably, only one exponentiation is required.

[0023] The method advantageously requires fewer exponentiations than existing methods, whilst still being provably secure. Thus there is a significantly lower computational overhead involved in decryption.

[0024] According to a fifth aspect of the invention a public key encryption/decryption method involves creating a ciphertext and decrypting the ciphertext, in which a public key requires no more than 3 group elements and a private key requires no more than one group element, whilst still providing a provably secure method.

[0025] The invention extends to a message encrypted according to any one of the previous aspects.

[0026] The invention extends to a recordable medium bearing a ciphertext encrypting a message encrypted according to the previous aspects.

[0027] The invention extends to a computer operable to perform any of the previous aspects.

[0028] The invention extends to a recordable medium bearing a computer program operable to perform any of the above aspects.

[0029] All of the features described herein may be combined with any of the aspects or parts of the invention as set out above.

[0030] A specific embodiment of the present invention will now be described with reference to the accompanying drawing, in which:

[0031] FIG. 1 is a schematic diagram of the encryption and decryption of a message.

[0032] Below is described a new public key encryption scheme, which starts to bridge the gap (discussed in the introduction above) in efficiencies of practical implementation of such encryption, while still having its security rely solely on standard intractability assumptions. Compared to the CS scheme mentioned above, this new scheme has a similar communication overhead but requires only 4 exponentiations in total (for both encryption and decryption) compared to 8 for the most efficient (pure public key) version of CS. In terms of offline storage, if CS and the new scheme are used in the same group, then CS requires 5 group elements to represent its public key and 5 for its private, whereas the new scheme requires 3 for its public key and 1 for its private. Thus the contribution of this invention is to present a provably secure public key encryption scheme based on standard intractability assumptions, where the efficiency of the scheme rivals those schemes that rely on the random oracle model.

[0033] FIG. 1 shows an encryption module 10, which forms part of a first computer 12. The encryption module 10 operates a computer program to encrypt a message 14 in a ciphertext 16. The message 14 encrypted in the ciphertext 16 is then transmitted or passed to a third party for decryption with a computer program running on a decryption module 18 of a second computer 20.

[0034] The implementation of the method described herein is applicable to all types of public key encryption already in use, for example the transmission of messages and data securely over computer networks, either local networks or global networks (such as the internet). The method can be used as a computer program and operated on a message to be encrypted and then decrypted by a user with the relevant key, as is well known in the art.

[0035] 1.1 Notation

[0036] We use standard notation and conventions for writing probabilistic algorithms and experiments. If $A$ is a probabilistic algorithm, then $A(x_1, x_2, \ldots; r)$ is the result of running $A$ on inputs $x_1, x_2, \ldots$ and coins $r$. We let $y \leftarrow A(x_1, x_2, \ldots)$ denote the experiment of picking $r$ at random and letting $y$ be $A(x_1, x_2, \ldots; r)$. If $S$ is a finite set then $x \leftarrow S$ (or $x \in_R S$) is the operation of picking an element uniformly from $S$.

[0037] If $b$ is a bit then $\bar{b}$ is its complement. $\{0,1\}^*$ is a binary string of arbitrary length and $\{0,1\}^l$ is a binary string of length $l$. The length of a string $x$ is denoted by $|x|$, and the concatenation of strings $x$ and $y$ is denoted by $x \| y$. The $i$th bit of $x$ is denoted by $x_i$ and the substring of $x$ from $x_i$ to $x_j$, where $i \leq j$, is denoted by $x_{[i,j]}$. A function $f$ of the security parameter $k$ is negligible if for every constant $c \geq 0$ there exists an integer $k_c$ such that $f(k) \leq k^{-c}$ for all $k \geq k_c$.

[0038] 1.2 Definitions

[0039] Indistinguishability of encryptions against an adaptive chosen ciphertext (IND-CCA2) adversary is the standard accepted notion of security for a public key encryption scheme. The basic idea behind an IND-CCA2 adversary is that it is given access to an encryption oracle and a decryption oracle; it then chooses two messages, one of which gets encrypted (it does not know which). It is then presented with the ciphertext of the encrypted message and asked to determine which of the two messages was encrypted. To break the scheme it must succeed with probability non-negligibly better than 1/2. The only restriction is that the adversary may not query the decryption oracle with the challenge ciphertext.

[0040] We consider the adversary $A$ as running in two stages, a `find' stage and a `guess' stage. The find stage is responsible for finding the pair of messages (it will also output some state information $s$) and the guess stage is responsible for determining which message was encrypted in the challenge ciphertext.

[0041] A formal definition of IND for any type of attack is given in Definition 1, but for a more complete treatment of this area see Bellare, M., Desai, A., Pointcheval, D., and Rogaway, P. Relations among notions of security for public-key encryption schemes. CRYPTO'98. LNCS 1462, pg 26-45. Springer-Verlag, California, 1998. Other types of attack are, for example, CPA and CCA1; see below for definitions. In the definition $\mathcal{K}(\cdot)$ is a probabilistic key generation algorithm, $\mathcal{E}(\cdot)$ is a probabilistic encryption algorithm, $\mathcal{D}(\cdot)$ is a deterministic decryption algorithm and $O(\cdot)$ is an oracle. The public and secret key are represented by $pk$ and $sk$, respectively.

[0042] Definition 1 [IND-CPA, IND-CCA1, IND-CCA2] Let $\Pi = (\mathcal{K}, \mathcal{E}, \mathcal{D})$ be an encryption scheme and let $A$ be an adversary. For $\mathrm{atk} \in \{\mathrm{cpa}, \mathrm{cca1}, \mathrm{cca2}\}$ and security parameter $k$ let

$$\mathrm{Advantage}^{\mathrm{ind\text{-}atk}}_{A,\Pi}(k) = 2 \cdot \Pr\big[(pk, sk) \leftarrow \mathcal{K}(1^k);\ (x_0, x_1, s) \leftarrow A^{O_1}(\mathrm{find}, pk);\ b \leftarrow \{0,1\};\ y \leftarrow \mathcal{E}_{pk}(x_b) \;:\; A^{O_2}(\mathrm{guess}, x_0, x_1, s, y) = b\big] - 1$$

[0044] where

    If atk = cpa   then O_1(.) = null      and O_2(.) = null
    If atk = cca1  then O_1(.) = D_sk(.)   and O_2(.) = null
    If atk = cca2  then O_1(.) = D_sk(.)   and O_2(.) = D_sk(.)

[0045] It is insisted that $A(\mathrm{find}, \cdot)$ outputs $x_0, x_1$ with $|x_0| = |x_1|$. In the case of CCA2, it is also insisted that $A(\mathrm{guess}, \cdot)$ does not ask its oracle to decrypt $y$. We say that $\Pi$ is secure in the sense of IND-ATK if $A$ being polynomial-time implies that $\mathrm{Advantage}^{\mathrm{ind\text{-}atk}}_{A,\Pi}(\cdot)$ is negligible.

[0046] 2 The Basic Scheme

[0047] We encrypt messages $m \in \{0,1\}^{n-2k}$ and also require a hash function $H_j: \{0,1\}^* \to \{0,1\}^k$ chosen from a family of universal one-way hash functions indexed by $j$. All operations are performed in a group $G$ of order $q$ ($q$ a large prime) in which there exist two generators $g_1$ and $g_2$. There also exists some (invertible) deterministic method $\pi(\cdot)$ to encode a message as an element of $G$.

[0048] The private key is a randomly chosen $z \in \mathbb{Z}_q$ and the public key is $h = g_1^z$.

[0049] Encryption. We choose $r \in_R \mathbb{Z}_q$ and $j \in_R \mathbb{Z}_{2^k}$ (a $k$-bit index, so that $m \| j \| t$ is $n$ bits long) and compute $\epsilon = h^r$, $t = H_j(m, g_1^r, g_2^r)$ and $M = \pi(m, j, t)$. The ciphertext is then

$$(u_1, u_2, e) = (g_1^r,\ g_2^r,\ \epsilon \cdot M)$$

[0050] Decryption. To decrypt $(u_1, u_2, e)$ we compute $\epsilon = u_1^z$ and $M = e / \epsilon$,

[0051] and recover the message from $m, j, t = \pi^{-1}(M)$. Finally we check

$$t = H_j(m, u_1, u_2)$$

[0052] If this holds we accept the message, otherwise we reject.

[0053] If the group $G$ is chosen to be the set of quadratic residues modulo a large prime $p$ of the form $2q+1$, a possible encoding method $\pi(\cdot)$ is simple squaring, with $m \| j \| t$ interpreted as an element of $\mathbb{Z}_p$. Inverting $\pi$ then means taking a square root, of which there are two candidates; in the recovery step of the decryption, if neither square root yields a correct hash then the output is $\emptyset$ (reject).

[0054] The scheme described above has significant advantages over the Cramer-Shoup (CS) scheme because the number of exponentiations (a good guide to computational overhead) is only three in the encryption ($\epsilon = h^r$, $g_1^r$ and $g_2^r$), whereas in CS five exponentiations are required ($g_1^r$, $g_2^r$, $e = h^r m$ and $v = c^r d^{r\alpha}$).

[0055] In decryption the present scheme requires one exponentiation ($\epsilon = u_1^z$), whereas CS requires three ($u_1^z$, $u_1^{x_1 + y_1 \alpha}$ and $u_2^{x_2 + y_2 \alpha}$).

[0056] Consequently, the present scheme requires four exponentiations in total whereas CS requires eight to encrypt and decrypt; this represents a halving of the computational overhead of the present scheme when compared to CS.

[0057] In addition, the security of the present scheme is provable (see below): the proof shows that the advantage of an adaptive chosen ciphertext adversary is negligible.

[0058] In the present scheme reliance is made on the collision-free properties of the hash function to provide the check. CS also uses a hash in its check (twice, in fact), but within the more complex checking equation $u_1^{x_1 + y_1 \alpha} u_2^{x_2 + y_2 \alpha} = v$. A hash function over $m$, $u_1$ and $u_2$ in the present scheme provides greater simplicity with good security and a computational overhead benefit, as discussed above.

[0059] In the following a proof of security is given. Although such a proof is beneficial it is not necessary to have the proof to implement the scheme; it is merely a confirmation of the security given by the scheme.

[0060] 3 Proof of Security

[0061] 3.1 DDHP

[0062] All the proofs rely on the difficulty of the Decision Diffie-Hellman Problem (DDHP), the definition of which, from Cramer, R. and Shoup, V. A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack. CRYPTO'98. LNCS 1462, pg 13-25. Springer-Verlag, California, 1998 is given below.

[0063] Definition 2 [Cramer and Shoup (above), pg 16]--Let $G$ be a group of large prime order $q$, and consider the following two distributions:

[0064] the distribution $R$ of random quadruples $(g_1, g_2, u_1, u_2) \in G^4$;

[0065] the distribution $D$ of quadruples $(g_1, g_2, u_1, u_2) \in G^4$, where $g_1, g_2$ are random, and $u_1 = g_1^r$ and $u_2 = g_2^r$ for random $r \in \mathbb{Z}_q$.

[0066] An algorithm that solves the DDHP is a statistical test that can effectively distinguish these two distributions.

[0067] 3.2 The Full Scheme

[0068] We will prove the security of the basic scheme by proving the security of an equivalent cryptosystem, a `full' version of the basic scheme, which is presented below.

[0069] The full scheme encrypts messages $m \in \{0,1\}^{n-2k}$ and requires a hash function $H_j: \{0,1\}^* \to \{0,1\}^k$ chosen from a family of universal one-way hash functions indexed by $j$. All operations are performed in a group $G$ of order $q$ ($q$ a large prime) in which there exist two generators $g_1$ and $g_2$. There also exists some (invertible) deterministic method $\pi(\cdot)$ to encode a message as an element of $G$.

[0070] The private key is two randomly chosen elements $z_1, z_2 \in \mathbb{Z}_q$ and the public key is $h = g_1^{z_1} g_2^{z_2}$.

[0071] Encryption. We choose $r \in_R \mathbb{Z}_q$ and $j \in_R \mathbb{Z}_{2^k}$ (the $k$-bit hash index, as in the basic scheme) and compute $\epsilon = h^r$, $t = H_j(m, u_1, u_2)$ and $M = \pi(m, j, t)$. The ciphertext is then

$$(u_1, u_2, e) = (g_1^r,\ g_2^r,\ \epsilon \cdot M)$$

[0072] Decryption. To decrypt $(u_1, u_2, e)$ we compute $\epsilon = u_1^{z_1} u_2^{z_2}$ and $M = e / \epsilon$,

[0073] and recover the message from $m, j, t = \pi^{-1}(M)$. Finally we check

$$t = H_j(m, u_1, u_2)$$

[0074] If this holds we accept the message, otherwise we reject.
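The basic scheme of Section 2 and the full scheme just described differ only in the key pair and in how $\epsilon$ is recovered, so one toy implementation covers both. The Python below is an added example written for this page, not code from the application or its author. Everything it fixes is an assumption made here: a 128-bit safe prime $p = 2q + 1$ found by a deterministic search (far too small for real use), the squaring encoder of paragraph [0053] with $k = 32$, SHA-256 keyed by the index $j$ and truncated to $k$ bits standing in for the universal one-way hash family $H_j$, and a subgroup-membership check on $u_1, u_2$ that the application does not mention.

```python
"""Toy implementation of the basic scheme (Section 2) and the full scheme
(Section 3.2) with the squaring encoder pi(.) of paragraph [0053].
Added example, not code from the application.  Assumed here: a 128-bit
safe prime (too small for real use), SHA-256 in place of the universal
one-way hash family H_j, and a subgroup check the application omits."""
import hashlib
import secrets

K = 32                  # k: bit length of the hash output t and of the index j (toy size)
SMALL_PRIMES = [n for n in range(2, 400)
                if all(n % d for d in range(2, int(n ** 0.5) + 1))]


def is_probable_prime(n):
    """Trial division, then Miller-Rabin with fixed prime bases."""
    if n < 2 or any(n % sp == 0 for sp in SMALL_PRIMES):
        return n in SMALL_PRIMES
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in SMALL_PRIMES[1:21]:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def find_safe_prime(bits, seed=b"soldera-example"):
    """Deterministic search for p = 2q + 1 with q prime (same group every run)."""
    q = int.from_bytes(hashlib.sha256(seed).digest(), "big") >> (256 - (bits - 1))
    q |= (1 << (bits - 2)) | 1             # exact bit length, odd
    while not (is_probable_prime(q) and is_probable_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1


P = find_safe_prime(128)                  # G = quadratic residues mod p, prime order Q
Q = (P - 1) // 2
LB = (P.bit_length() + 7) // 8            # byte length of a group element
N = P.bit_length() - 1                    # m || j || t packed into N bits is always < p
MSG_BITS = N - 2 * K                      # message space {0,1}^(n-2k) of Section 2
G1, G2 = 4, 9                             # squares, hence generators of the order-q subgroup
MASK = (1 << K) - 1


def H(j, m, u1, u2):
    """t = H_j(m, u_1, u_2): SHA-256 keyed with the index j, truncated to k bits."""
    data = (j.to_bytes(K // 8, "big") + m.to_bytes(LB, "big")
            + u1.to_bytes(LB, "big") + u2.to_bytes(LB, "big"))
    return int.from_bytes(hashlib.sha256(data).digest()[:K // 8], "big")


def encode(m, j, t):
    """pi(m, j, t): interpret m || j || t as an element of Z_p and square it into G."""
    x = (m << (2 * K)) | (j << K) | t
    return x * x % P


def decode(M):
    """pi^-1: both square roots of M (p = 3 mod 4, so M^((p+1)/4) is one), unpacked."""
    root = pow(M, (P + 1) // 4, P)
    for x in (root, P - root):
        yield x >> (2 * K), (x >> K) & MASK, x & MASK


def keygen_basic():
    z = secrets.randbelow(Q - 1) + 1
    return z, pow(G1, z, P)               # private key z, public key h = g1^z


def keygen_full():
    z1, z2 = secrets.randbelow(Q), secrets.randbelow(Q)
    return (z1, z2), pow(G1, z1, P) * pow(G2, z2, P) % P   # h = g1^z1 g2^z2


def encrypt(h, m):
    """Three exponentiations (g1^r, g2^r, h^r); the message itself costs none."""
    if not 0 < m < (1 << MSG_BITS):
        raise ValueError("message out of range")
    r = secrets.randbelow(Q - 1) + 1
    j = secrets.randbits(K)
    u1, u2, eps = pow(G1, r, P), pow(G2, r, P), pow(h, r, P)
    return u1, u2, eps * encode(m, j, H(j, m, u1, u2)) % P


def decrypt(sk, ct):
    """Returns m, or None when the ciphertext is rejected."""
    u1, u2, e = ct
    if not all(0 < v < P for v in ct) or pow(u1, Q, P) != 1 or pow(u2, Q, P) != 1:
        return None                       # subgroup check (added here, not in the application)
    if isinstance(sk, tuple):             # full scheme: eps = u1^z1 u2^z2
        eps = pow(u1, sk[0], P) * pow(u2, sk[1], P) % P
    else:                                 # basic scheme: the single exponentiation eps = u1^z
        eps = pow(u1, sk, P)
    M = e * pow(eps, -1, P) % P
    for m, j, t in decode(M):
        if t == H(j, m, u1, u2):          # the check of paragraph [0051]
            return m
    return None                           # neither square root passes: reject


if __name__ == "__main__":
    z, h = keygen_basic()
    print(decrypt(z, encrypt(h, 0xC0FFEE)))
```

Decryption tries both square roots of $M$ and accepts only the one whose unpacked $(m, j, t)$ satisfies $t = H_j(m, u_1, u_2)$; a tampered $e$ or $u_1$ yields roots that fail the check and the ciphertext is rejected, which is the behaviour paragraph [0053] describes. The exponentiation counts match paragraphs [0054] and [0055]: three in `encrypt`, one in the basic `decrypt` (the two subgroup checks are the extra cost of the hardening assumed here).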

[0075] 3.3 Reducing the Full Scheme to the Basic Scheme

[0076] We show that the security of the full scheme implies the security of the basic scheme. Let $B$ be an IND-CCA2 adversary with an advantage in breaking the basic scheme. We will use $B$ to construct an IND-CCA2 adversary $A$ with an advantage in breaking the full scheme. The basic idea behind this reduction is that $B$ will be given a public key of the form $g_1^{z_1} g_2^{z_2}$ instead of $g_1^z$, but $B$ will not be able to tell the difference (both are uniformly distributed elements of $G$, since $g_1^{z_1} g_2^{z_2} = g_1^{z_1 + w z_2}$ for $g_2 = g_1^w$), and this allows $A$ to use $B$'s advantage.

[0077] We now define adversary $A$. $A$ runs in two stages, a `find' stage and a `guess' stage. The find stage is responsible for finding a pair of messages to distinguish (it will also output some state information $s$) and the guess stage is responsible for distinguishing which message was encrypted in the challenge ciphertext. Let $D_A(\cdot)$ be the decryption oracle that $A$ has access to.

    Algorithm A(find, g_1, g_2, h, q, G)
        Run B(find, g_1, g_2, h, q, G)
        When B makes a decryption query y', respond with m <- D_A(y')
        B returns (m_0, m_1, s)
        A returns (m_0, m_1, s)

    Algorithm A(guess, m_0, m_1, s, y)
        Run B(guess, m_0, m_1, s, y)
        When B makes a decryption query y', respond with m <- D_A(y')
        B returns b'
        A returns b'

[0078] Any valid ciphertext that $B$ produces will be of the form $(u_1, u_2, (g_1^{z_1} g_2^{z_2})^r M)$, since $B$ encrypts with public key $h = g_1^{z_1} g_2^{z_2}$; hence any valid ciphertext can be passed to $D_A(\cdot)$ and will be correctly decrypted. It follows that if $B$ has an advantage then so does $A$.

[0079] 3.4 The Hash Function

[0080] We shall recall some results from Carter, J. L., Wegman, M. N. Universal Classes of Hash Functions. Journal of Computer and System Sciences, 18, 143-154 (1979) about universal hash functions.

[0081] Let all hash functions map a set $A$ into a smaller set. If $H$ is a hash function and $x, y \in A$, we define

$$\delta_H(x, y) = \begin{cases} 1 & \text{if } x \neq y \text{ and } H(x) = H(y) \\ 0 & \text{otherwise} \end{cases}$$

[0082] If $\delta_H(x, y) = 1$, then we say $x$ and $y$ collide under $H$.

[0083] Consider a class of functions from $A$ to the range. We say that the class is universal$_2$ (the subscript indicates pairs) if for all $x, y$ in $A$ the number of functions in the class under which $x$ and $y$ collide is at most the size of the class divided by the size of the range. That is, the class is universal$_2$ if no pair of distinct keys collides under more than a fraction (one over the size of the range) of the functions.

[0084] We will now recall the proposition from Wegman and Carter that we require for this paper.

[0085] Proposition [Wegman and Carter (above), pg 146]--Let $x$ be any element of $A$ and consider any subset of $A$. Let $H$ be a function chosen randomly from a universal$_2$ class of functions (with equal probabilities on the functions). Then the mean value of $\delta_H(x, y)$, summed over $y$ in the subset, is at most the size of the subset divided by the size of the range.

[0086] Hence in this paper we are careful to use a hash function that is randomly selected from a class of universal one-way hash functions, thus making the probability of finding a collision, in the absence of any other information, one over the size of the hash range, i.e. $2^{-k}$ for the $k$-bit hash used here.

[0087] Of course for the sake of correctness of the proof of security a universal one-way hash function should be used, but practical security is unlikely to be compromised by the use of more `off-the-shelf' hash functions like SHA-1, and so these could be used in an implementation of the scheme. (SHA-1 was the standard choice when this application was written; practical collisions for it have since been published, so a current implementation would use a hash such as SHA-256 for the check.)

[0088] 3.5 Sketch of the Proof of Security

[0089] Now we show that the full scheme is secure against an IND-CCA2 adversary. First we give the construction of the proof (which is the same as that of CS). It is assumed there exists an adversary $A$ that can break the full scheme in the IND-CCA2 sense, and we then show how this adversary can unwittingly be used to help solve what is considered a computationally infeasible problem, in this case the DDHP.

[0090] The proof requires the construction of a simulator. Quadruples from either $D$ or $R$ (but not both) are input to the simulator, which is then responsible for the creation of keys, the simulation of an encryption oracle and the simulation of a decryption oracle. The adversary receives all its information, including oracle answers, from the simulator.

[0091] The proof runs as follows. A quadruple is input and the simulator creates a valid secret key and public key. The simulator runs the find stage of $A$, and $A$ returns two messages, $m_0$ and $m_1$. The simulator then runs the simulated encryption oracle, which chooses a random bit $b \in \{0, 1\}$, encrypts $m_b$ and outputs the challenge ciphertext. The adversary cannot see the simulated encryption oracle's choice of $b$.

[0092] The simulator then inputs the challenge ciphertext to the guess stage of $A$, and $A$ outputs its guess, $b'$, for the random bit. The simulator and the adversary pass $b$ and $b'$ respectively to a distinguisher that outputs 1 if $b = b'$ and 0 otherwise.

[0093] When the input quadruple comes from $R$, the adversary $A$ cannot succeed in guessing $b$ with any advantage. Alternatively, when the input comes from $D$, the simulator creates a perfectly valid ciphertext and $A$ can guess the bit $b$ with its advantage.

[0094] Hence by observing the distribution of 0's and 1's output by the distinguisher, it can be determined which distribution the quadruples are coming from. If the quadruples come from $R$ then 1's will occur with probability 1/2 and 0's with probability 1/2: the adversary is correct only half the time, as it has no advantage. If the quadruples come from $D$ then the adversary has an advantage and 1's will occur with probability $1/2 + \alpha$ (where $\alpha$ is the adversary's non-negligible advantage) and 0's with probability $1/2 - \alpha$.

[0095] Hence, by observation of the output distribution, one has a statistical test for the DDHP.

[0096] 3.6 IND-CCA2 Security for the Full Scheme

[0097] Theorem 2--If the Diffie-Hellman Decision Problem is hard in the group G, then the scheme is secure against an adaptive chosen ciphertext attack.

[0098] First the simulator is described. On input the DDH quadruple $(g_1, g_2, u_1, u_2)$ the simulator randomly chooses two private keys $z_1, z_2 \in \mathbb{Z}_q$ and outputs the public key $h = g_1^{z_1} g_2^{z_2}$.

[0099] The simulator simulates the encryption oracle as follows. On input two messages $m_0$ and $m_1$ it selects a random bit $b \in \{0, 1\}$ and a random index $j \in_R \mathbb{Z}_{2^k}$ and computes

$$e = (u_1^{z_1} u_2^{z_2}) \cdot \pi\big(m_b, j, H(m_b, j, u_1, u_2)\big)$$

[0100] The simulated encryption oracle outputs the ciphertext $(u_1, u_2, e)$.

[0101] The simulated decryption oracle simulates the decryption algorithm as follows. On input $(u_1, u_2, e)$ it computes

$$M = \frac{e}{u_1^{z_1} u_2^{z_2}}, \qquad m, j, t = \pi^{-1}(M)$$

[0102] If $H(m, j, u_1, u_2) = t$ the simulated decryption oracle outputs $m$, else it outputs $\emptyset$.

[0103] The aim now is to show that when the input comes from D the simulator simulates the encryption and decryption oracles perfectly (probabilistically) and the advantage of the adversary is apparent at the distinguisher. Alternatively, if the input comes from R then the aim is to show that the adversary can have no advantage in guessing b.

[0104] The theorem follows from the following two lemmas.

[0105] Lemma 1--When the simulator's input comes from D, the simulator simulates the encryption and decryption oracles perfectly.

[0106] The output of the simulated encryption oracle is exactly the same as the output of the real encryption oracle, since $u_1^{z_1} u_2^{z_2} = g_1^{r z_1} g_2^{r z_2} = (g_1^{z_1} g_2^{z_2})^r = h^r$, and so the ephemeral key $\epsilon$ is the same for both oracles.

[0107] If the simulated encryption oracle produces output indistinguishable from that of the actual encryption oracle (true, since the ephemeral key has the right form and otherwise the simulation is identical in computation to the real oracle), and the simulated decryption oracle behaves in exactly the same way as the actual decryption oracle (they too are identical), then the adversary's view is indistinguishable from its view in an actual attack.

[0108] Lemma 2--When the simulator's input comes from R, the distribution of the hidden bit is (essentially) independent from the adversary's view.

[0109] When the quadruple comes from R we have $u_1 = g_1^{r_1}$ and $u_2 = g_2^{r_2}$. We will show that the adversary's view is independent of the hidden bit $b$ by showing that if no information about the secret keys is leaked, then the challenge ciphertext is equally likely to be the encryption of $m_0$ or $m_1$, or in fact any message.

[0110] Assuming the simulated decryption oracle only decrypts valid ciphertexts, we now show that no information about the secret keys is leaked by a valid ciphertext. Consider the following equations from the public key and a valid ciphertext.

$$\log h = z_1 + w z_2$$

$$\log \varepsilon = r \log h = r z_1 + r w z_2$$

[0111] where $g_2 = g_1^w$ and $\log$ refers to $\log_{g_1}$. Clearly they are linearly dependent and leak no information about $z_1$ or $z_2$.

[0112] Now consider the output of the simulated encryption oracle; from it we derive the following equation.

$$\log \varepsilon = r_1 z_1 + r_2 w z_2$$

[0113] We can arrange this and the public key equation as a set of linear equations.

$$\begin{pmatrix} 1 & w \\ r_1 & w r_2 \end{pmatrix} \begin{pmatrix} z_1 \\ z_2 \end{pmatrix} = \begin{pmatrix} \log h \\ \log \varepsilon \end{pmatrix}$$

[0114] The determinant of the matrix, $w(r_2 - r_1)$, is non-zero, and so these equations have a solution $z_1$ and $z_2$ for any $\varepsilon$, making its possible values a permutation on $G$.
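Solving the system explicitly, as an added worked step that the application does not spell out, makes this one-to-one correspondence concrete: the first row gives $z_1 = \log h - w z_2$, and substituting into the second row yields

$$z_2 = \frac{\log \varepsilon - r_1 \log h}{w(r_2 - r_1)}, \qquad z_1 = \log h - w z_2 \pmod{q}$$

so for input from R ($r_1 \neq r_2$) each value of $\log \varepsilon$ corresponds to exactly one key pair consistent with $h$, while for input from D ($r_1 = r_2 = r$) the second row is $r$ times the first and fixes nothing, as noted in [0111].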

[0115] This means $\varepsilon$ hides $M_b$, as for every possible $M_b$ there is an $\varepsilon$ consistent with $e$ ($e$ is fixed), and that $\varepsilon$ can be constructed from a pair of secret keys $z_1$ and $z_2$ that are consistent with the public key.

[0116] Hence there exists an $\varepsilon$ that decrypts the challenge ciphertext $e$ to any $M$. $M$ could be any element of the group, but in fact it may be invalid in the sense of not satisfying $M = \pi(m, j, t)$ for any possible $m$, $j$ and $t$, or, if it satisfies $M = \pi(m, j, t)$ for some $m$, $j$ and $t$, then the relation $t = H(m, j, u_1, u_2)$ may not be satisfied. The probability of choosing an $\varepsilon$ that decrypts $e$ to an invalid $M$ depends on $\pi(\cdot)$, and we can say without loss of generality that for all `good` choices of $\pi(\cdot)$ (see section 2 for a suggestion), the probability that an adversary guesses a correct $\varepsilon$ is $O(2^{|j|})/q$, as there will be $O(2^{|j|})$ valid $M$ for a specific message. If, for example, $\pi(\cdot)$ performed a one-to-one mapping from its input to group elements then (for the IND-CCA2 game) there would be $2^{|j|+1}$ valid $M$'s. For an appropriate $|j|$ it is a computationally infeasible problem to guess a correct $\varepsilon$. Importantly, all messages have $2^{|j|}$ valid $M$'s, hence an adversary has an equal chance of finding an $\varepsilon$ that gives a valid $M$ for any message, and specifically an equal chance of finding an $M$ giving $m_0$ or $m_1$, and so the adversary can have no advantage in distinguishing between them.

[0117] The above argument relies on the simulated decryption oracle rejecting all invalid ciphertexts; otherwise information about $z_1$ and $z_2$ may be leaked. Let a valid ciphertext be $(u_1, u_2, e)$, and an invalid one be $(u_1', u_2', e')$. We consider the possible ciphertexts submitted to the simulated decryption oracle.

[0118] 1) $(u_1', u_2', e)$. If $u_1$ or $u_2$ (or any combination thereof) is changed, then if the resulting ciphertext were decrypted by the simulated decryption oracle this would violate the collision property of the universal one-way hash function. If the universal one-way hash function was chosen at random then there is only a negligible chance (in the size of the output of the hash) that a collision can be found (see section 3.4).

[0119] 2) $(u_1, u_2, e')$. The ephemeral key depends only on $u_1$ and $u_2$, and we know these are unchanged, so the same ephemeral key as was used to encrypt will be calculated by the simulated decryption oracle. When $e'$ is divided by the ephemeral key, a multiple of $M$ will be the result; call it $\alpha M$. An upper bound on the number of possible valid $M$'s is $2^{|m|+|j|}$, and $\alpha$ is chosen from the group, which has size $q$, which upper bounds the probability that an adversary can guess an $\alpha$ that creates a valid $M$ (with a message that is more than likely unrelated to $m_b$) as $2^{|m|+|j|}/q$. If these parameters are chosen correctly this probability is negligible.

[0120] The adversary will attempt to do better than just guessing. However, without knowing $j$ an adversary cannot hope to reproduce or modify $e$ to $e'$ in any way better than guessing, to cause the simulated decryption oracle to decrypt $e'$.

[0121] 3) $(u_1', u_2', e')$. This case is similar to case 2). Now (essentially) any $e'$ is valid as long as $u_1'$ and $u_2'$ cause the hash check to pass, but this represents a worse probability of success than case 2), as with the lack of any other information the probability of success is $1/q^2$.

[0122] Thus, the simulated decryption oracle will reject all invalid ciphertexts, except with negligible probability.

[0123] Hence if the DDHP is a computationally infeasible problem then an IND-CCA2 attacker for the full scheme cannot exist.
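The encryption and decryption oracles of [0099] to [0102], together with the rejection of the modified ciphertexts in cases 1) and 2) of [0118] and [0119], as an added toy implementation that is not the application's own code. It assumes a 64-bit safe-prime group, SHA-256 truncated to 32 bits standing in for the universal one-way hash, fixed bit widths for $m$, $j$ and the tag $t$, and a pack-then-square encoding for $\pi$; the final check in `decrypt` is the $t = H(m, j, u_1, u_2)$ test of [0102].

```python
import hashlib
import random
# Added toy implementation of the scheme above (not the patent's own code). G is the
# order-q subgroup of squares in Z_p^*, p = 2q + 1 a 64-bit safe prime found from a
# fixed seed, so every run is deterministic. Real parameters must be far larger.
rng = random.Random(2002)
MB, JB, TB = 16, 8, 32            # assumed bit widths of m, the index j and the tag t
BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_prime(n):                  # Fermat test; adequate for random toy candidates
    return n > 37 and all(n % a and pow(a, n - 1, n) == 1 for a in BASES)

def keygen(bits=64):
    q = 0
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
    p = 2 * q + 1
    g1, g2 = (pow(rng.randrange(2, p), 2, p) for _ in range(2))   # squares lie in G
    z1, z2 = rng.randrange(1, q), rng.randrange(1, q)             # private key
    h = pow(g1, z1, p) * pow(g2, z2, p) % p                       # public key h = g1^z1 g2^z2
    return (p, q, g1, g2, h), (z1, z2)

def H(m, j, u1, u2):              # hash stand-in: SHA-256 truncated to TB bits
    d = hashlib.sha256(f"{m},{j},{u1},{u2}".encode()).digest()
    return int.from_bytes(d, "big") >> (256 - TB)

def pi(m, j, t, p):               # invertible encoding of (m, j, t) as a square mod p
    x = ((m << (JB + TB)) | (j << TB) | t) + 1                    # 1 <= x <= q
    return x * x % p

def pi_inv(M, p):                 # square root (p = 3 mod 4), then unpack the fields
    r = pow(M, (p + 1) // 4, p)
    x = min(r, p - r) - 1
    if x >> (MB + JB + TB):       # a group element, but not a valid encoding
        return None
    return x >> (JB + TB), (x >> TB) & ((1 << JB) - 1), x & ((1 << TB) - 1)

def encrypt(pk, m):
    p, q, g1, g2, h = pk
    r, j = rng.randrange(1, q), rng.getrandbits(JB)
    u1, u2 = pow(g1, r, p), pow(g2, r, p)
    M = pi(m, j, H(m, j, u1, u2), p)
    return u1, u2, pow(h, r, p) * M % p                           # e = h^r . M

def decrypt(pk, sk, ct):          # returns m, or None for the empty-set output
    p, (z1, z2), (u1, u2, e) = pk[0], sk, ct
    eps = pow(u1, z1, p) * pow(u2, z2, p) % p                     # u1^z1 u2^z2 = h^r
    dec = pi_inv(e * pow(eps, -1, p) % p, p)
    ok = dec is not None and dec[2] == H(dec[0], dec[1], u1, u2)  # t == H(m, j, u1, u2)
    return dec[0] if ok else None
```

Changing $u_1$ (case 1) or $e$ (case 2) and submitting the result to `decrypt` yields `None`, which is the rejection the proof relies on.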

[0124] 4 Conclusion

[0125] A new scheme was created which was shown to be provably secure against an IND-CCA2 adversary. The advantage of this new scheme is that it is roughly twice as efficient as CS in terms of computational overhead and has similar communication overhead, and that its proof relies only on standard intractability assumptions (it does not require the RO assumption).

* * * * *

